A Comprehensive Literature Review of Penetration Testing &amp; Its Applications

Vats, Prashant; Mandot, Manju; Gosain, Anjana

doi:10.1109/icrito48877.2020.9197961

Cited by 19 publications

(5 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Proxy tools [29] are essential in mobile penetration testing for intercepting and analyzing traffic between the mobile application and the backend server. Table 6 highlights two widely used proxy tools.…”

Section: Proxy Toolsmentioning

confidence: 99%

Enhancing Mobile Security through Comprehensive Penetration Testing

Roshanaei

2024

JIS

View full text Add to dashboard Cite

In today's era, where mobile devices have become an integral part of our daily lives, ensuring the security of mobile applications has become increasingly crucial. Mobile penetration testing, a specialized subfield within the realm of cybersecurity, plays a vital role in safeguarding mobile ecosystems against the ever-evolving landscape of threats. The ubiquity of mobile devices has made them a prime target for cybercriminals, and the data and functionality accessed through mobile applications make them valuable assets to protect. Mobile penetration testing is designed to identify vulnerabilities, weaknesses, and potential exploits within mobile applications and the devices themselves. Unlike traditional penetration testing, which often focuses on network and server security, mobile penetration testing zeroes in on the unique challenges posed by mobile platforms. Mobile penetration testing, a specialized field within cybersecurity, is an essential tool in the Cybersecurity specialists' toolkit to protect mobile ecosystems from emerging threats. This article introduces mobile penetration testing, emphasizing its significance, including comprehensive learning labs for Android and iOS platforms, and highlighting how it distinctly differs from traditional penetration testing methodologies.

show abstract

Section: Proxy Toolsmentioning

confidence: 99%

Enhancing Mobile Security through Comprehensive Penetration Testing

Roshanaei

2024

JIS

View full text Add to dashboard Cite

show abstract

“…Pen-testing enables the person carrying out PEN-testing to check out the system's functional aspects, that is, the extent to which a system is vulnerable to network security and intrusion attacks, and view the system's defense mechanisms to mitigate these attacks. The authors of [9] conducted a comprehensive literature review of pen-testing and its applications. The study reviewed the work conducted in the field of pen-testing.…”

Section: Related Workmentioning

confidence: 99%

An Empirical Comparison of Pen-Testing Tools for Detecting Web App Vulnerabilities

2022

View full text Add to dashboard Cite

Today, one of the most popular ways organizations use to provide their services, or broadly speaking, interact with their customers, is through web applications. Those applications should be protected and meet all security requirements. Penetration testers need to make sure that the attacker cannot find any weaknesses to destroy, exploit, or disclose information on the Web. Therefore, using automated vulnerability assessment tools is the best and easiest part of web application pen-testing, but these tools have strengths and weaknesses. Thus, using the wrong tool may lead to undetected, expected, or known vulnerabilities that may open doors for cyberattacks. This research proposes an empirical comparison of pen-testing tools for detecting web app vulnerabilities using approved standards and methods to facilitate the selection of appropriate tools according to the needs of penetration testers. In addition, we have proposed an enhanced benchmarking framework that combines the latest research into benchmarking and evaluation criteria in addition to new criteria to cover more ground with benchmarking metrics as an enhancement for web penetration testers and penetration testers in real life. In addition, we measure the tool’s abilities using a score-based comparative analysis. Moreover, we conducted simulation tests of both commercial and non-commercial pen-testing tools. The results showed that Burp Suite Professional scored the highest out of the commercial tools, while OWASP ZAP scored the highest out of the non-commercial tools.

show abstract

“…How to build attack chains and use all collected information after emulation for security awareness of organization. [8] 2020 lack of realism Static VAPT Audit and implementation [9] 2020 lack of methodology Static VAPT literature review [10] 2020 Limited scope Static Cyber attack emulation agents [11] 2020 Limited scope Static Learning associations of adversary techniques [12] 2020 lack of methodology Static CTI for improving adversary understanding [13] 2020 lack of methodology Static Zero entry hacking and misconfigurations on VAPT [14] 2019 lack of realism Static VAPT as Cyber defense [15] 2019 Limited scope known VAPT for web app and network [16] 2019 Limited scope known Post exploitation Agentless VAPT and Automation [17] 2019 Limited scope known Bird eye view penetration testing knowledge [18] 2019 lack of methodology known Concept of cyber defense exercise CDX [19] 2018 lack of methodology known Enhancing automotive penetration testing [20] 2018 LImited scope known Redefining VAPT [16] 2018 no methodology known Cyber kill chain and cyber ops [21] 2018…”

Section: Related Workmentioning

confidence: 99%

Offensive Security: Towards Proactive Threat Hunting via Adversary Emulation

et al. 2021

View full text Add to dashboard Cite

Attackers increasingly seek to compromise organizations' systems and data with advanced methods, often utilising legitimate tools. In the main, organisations employ reactive approaches to cyber security, focused on rectifying immediate incidents and preventing repeat attacks, through protections such as Security Information and Event Management (SIEM), firewalls, anti-spam/anti-malware solutions and system patches have been demonstrated to have significant weaknesses in addressing modern attacks. Proactive approaches, have been seen as part of the solution to this problem. However, techniques such as vulnerability and penetration testing (VAPT) are recognised as having limited scope and only working with threats that have already been discovered. Promising methods such as threat hunting are gaining momentum, enabling organisations to identify and rapidly respond to any potential attacks, though they have been criticised for their significant cost. In this paper, we present a novel model for uncovering tactics, techniques, and procedures (TTPs) through offensive security, specifically threat hunting via adversary emulation. The proposed technique is based on a novel approach of inducing adversary emulation (mapping each respective phase) model inside the threat hunting approach. The experimental results show that the proposed approach exploits the threat hunting via adversary emulation and has countervailing effects on hunting advance level threats. Moreover, the threat detection ability of the proposed approach utilizes minimum resources. The proposed approach can be exploited to develop the offensive security-aware environment for organizations to uncover advanced attack mechanisms and test their ability for attack detection.

show abstract

A Comprehensive Literature Review of Penetration Testing & Its Applications

Cited by 19 publications

References 6 publications

Enhancing Mobile Security through Comprehensive Penetration Testing

Enhancing Mobile Security through Comprehensive Penetration Testing

An Empirical Comparison of Pen-Testing Tools for Detecting Web App Vulnerabilities

Offensive Security: Towards Proactive Threat Hunting via Adversary Emulation

Contact Info

Product

Resources

About